[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: encrypt password by md5 twice?

Zhang Weiwu wrote:
Dear everyone

I am planing to migrate an Intranet info system to authenticate with
OpenLDAP, so more of our business can be done with the same login. The
old system uses their own SQL table to store user information, no
problem, I can write a script to convert to LDIF format. But md5 was
used to encrypt user password, and the developer of that system knows
md5 is cracked, so he encrypted the md5 hash with md5 method again.

clear text password --> md5 hash --> md5 hash of the md5 hash

My question:

   1. Have you ever heard this solution to avoid md5 crack? Now as I
      cannot reach the original system author, I wonder how this idea
      come to be (e.g. why not using SHA).

not heard of it.

2. Does it work? (is md5 hashed md5 hash much safer with no side-effect?)

Sounds like it would take twice as long.

   3. Now, how we can migrate this system to use openldap. AFAIK
      openldap have no direct support for such hash. There are a lot of
      users of the system and there will be problems if migration is
      done and everyone's password is reset..

You'd have to get everyone to type in their md5 hash ;-)

You've no choice but to reset all passwords. Seems like the best time to do it under the "migration" umbrella.


Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretecsystems.com

Open Source. Open Solutions(tm).